
Based On The Virtual Execution Of Malicious Code Detection Technology Research

Posted on: 2011-08-07
Degree: Master
Type: Thesis
Country: China
Candidate: X S Long
Full Text: PDF
GTID: 2208360308966156
Subject: Computer software and theory
Abstract/Summary:
With the popularity of the Internet, malware is increasing rapidly. At the same time, the openness of the Internet and the inherent vulnerability of operating systems have made computer security issues increasingly prominent; in particular, the development and spread of computer viruses pose a huge threat to, and cause great destruction in, social life. Facing the complexity and diversity of malicious software, traditional static detection methods based on signatures can rarely detect unknown malware. In order to detect such malware while avoiding compromise of the operating system during the detection procedure, this thesis applies malware behavior detection technology in a virtualized environment.

This thesis describes the main principles of currently popular malware, its development trends, and current detection methods. The defects of current detection methods are analyzed, a malware detection technology based on a virtual execution environment is proposed, and a system prototype is given. The system has the following advantages:

1. Isolation of the detection environment from the host machine. The detection system allows applications running inside the virtual machine to utilize host resources as much as possible while keeping the host unchanged; that is, applications running on the operating-system-level virtual machine share the running environment with the host, but resource changes are confined to the virtual machine. Because the environment is virtual and isolated, whether the malware fails to notice the difference and runs as normal, or detects the virtual environment and actively suppresses its suspicious behavior, the host is not affected, so a malicious infection of the host is avoided.

2. A weighted analysis technique based on behavior analysis. After the behavior of the suspected program has been collected, when the weight exceeds a certain threshold the program is judged to be malware, and the running behavior of the suspicious program is logged in detail.

3. Recurrence of the host environment. The system relies mainly on system call redirection; the virtual machine shares as many resources as possible with the host, and only the changed resources are kept by the virtual machine.

On the whole, the system meets the goals of isolation and host environment recurrence and can detect malware; experiments show that the system is effective.
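The abstract describes two mechanisms without giving their details: a weighted behavior score compared against a threshold (advantage 2) and a virtual machine that keeps only the resources a program changes while reading everything else from the host (advantage 3). The following is an added illustration of both, not code from the thesis or its prototype; the behavior classes, their weights, the threshold, the sample traces and the copy-on-write overlay are all assumptions made here for the example.

```python
"""Weighted behaviour scoring over a sandbox trace, plus a copy-on-write
resource overlay of the kind the abstract attributes to its OS-level VM.
Added illustration: weights, threshold, event names and the overlay design
are assumptions, not values taken from the thesis."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed weight per observed behaviour class (not the thesis's own table).
WEIGHTS: Dict[str, int] = {
    "write_system_dir": 4,       # modifies files under a system directory
    "set_autorun_key": 5,        # registry autostart persistence
    "inject_remote_process": 6,  # writes into another process's memory
    "outbound_connect": 2,       # opens a network connection
    "delete_self": 3,            # removes its own executable
    "read_user_file": 1,         # reads a document in the user profile
}
THRESHOLD = 8  # assumed decision threshold


@dataclass
class Verdict:
    score: int
    is_malware: bool
    log: List[str] = field(default_factory=list)


def score_trace(trace: List[Tuple[str, str]]) -> Verdict:
    """Sum the weight of every observed behaviour and decide once the total
    exceeds THRESHOLD. Every event is logged in detail, including events with
    weight 0, so the analyst can review the full run afterwards."""
    score = 0
    log: List[str] = []
    for event, detail in trace:
        w = WEIGHTS.get(event, 0)
        score += w
        log.append(f"{event} ({detail}) weight={w} running_total={score}")
    return Verdict(score=score, is_malware=score > THRESHOLD, log=log)


class CowOverlay:
    """Copy-on-write view of a host file namespace: reads fall through to the
    host unless the VM already holds its own copy; writes and deletes are
    recorded only in the VM layer, so the host itself is never modified."""
    _DELETED = object()

    def __init__(self, host: Dict[str, str]):
        self.host = host                     # shared, read-only for the VM
        self.layer: Dict[str, object] = {}   # only the VM's changes live here

    def read(self, path: str) -> str:
        if path in self.layer:
            value = self.layer[path]
            if value is self._DELETED:
                raise FileNotFoundError(path)
            return value  # type: ignore[return-value]
        if path in self.host:
            return self.host[path]
        raise FileNotFoundError(path)

    def write(self, path: str, data: str) -> None:
        self.layer[path] = data  # redirected: never touches self.host

    def delete(self, path: str) -> None:
        self.read(path)  # raises if the file does not exist in the view
        self.layer[path] = self._DELETED

    def changed_paths(self) -> List[str]:
        """The only state the VM has to keep: everything else is the host's."""
        return sorted(self.layer)


# Constructed sample traces (not from the thesis's experiments).
SUSPICIOUS_TRACE = [
    ("read_user_file", "C:\\Users\\alice\\report.docx"),
    ("write_system_dir", "C:\\Windows\\System32\\helper.dll"),
    ("set_autorun_key", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\helper"),
    ("outbound_connect", "198.51.100.7:8080"),
]
BENIGN_TRACE = [
    ("read_user_file", "C:\\Users\\alice\\notes.txt"),
    ("outbound_connect", "198.51.100.20:443"),
]

if __name__ == "__main__":
    for name, trace in (("suspicious", SUSPICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        v = score_trace(trace)
        print(f"{name}: score={v.score} malware={v.is_malware}")
        for line in v.log:
            print("   ", line)
    host = {"/etc/hosts": "127.0.0.1 localhost"}
    vm = CowOverlay(host)
    vm.write("/etc/hosts", "127.0.0.1 localhost\n198.51.100.7 update.example")
    print("VM sees:", vm.read("/etc/hosts"))
    print("host still has:", host["/etc/hosts"])
    print("VM-private changes:", vm.changed_paths())
```

The scorer is deliberately additive and order-independent, so a program cannot lower its score by interleaving benign actions; the overlay shows why the abstract's third point follows from the second: because the VM layer holds only the changed resources, the list returned by `changed_paths()` is itself the detailed record of what the program tried to alter on the host.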
Keywords/Search Tags:Sand Box, OS level virtual machine, Malware detection, FVM